Open
Description
Value Prop
Immutable Releases introduces enhanced integrity and security for software distributed via GitHub Releases. With this feature, repository maintainers can publish releases and associated assets as immutable, ensuring that once a release is published, its assets and associated Git tag cannot be altered or deleted. This prevents supply chain attacks that rely on asset modification or tag movement after publication, and provides users with stronger guarantees that the artifacts they consume are exactly as originally published. Immutable Releases also introduces release attestations, allowing consumers to verify the origin and integrity of artifacts—even outside of GitHub.
Expected Outcome
- Organizations and open-source projects can confidently distribute software through GitHub Releases, knowing assets and tags cannot be tampered with after publication.
- Consumers and downstream automation will be able to reliably verify that downloaded artifacts are authentic and unmodified, reducing risk in the software supply chain.
- The introduction of release attestations provides verifiable proof of artifact origin and content, supporting secure end-to-end software delivery.
- Immutable Releases aligns GitHub Releases with best practices for provenance and immutability, supporting compliance, security, and trust for all users.
Status
Q3 2025 – Jul-Sep